# Scoped sudo for the gitea_ci deploy user on the moments-worker host (frootmig).
# Installed by script/infra-setup.sh as /etc/sudoers.d/moments_worker_gitea_ci and
# verified with `visudo -cf`. See api-host.conf for the rsync-rule convention.
#
# Review notes on how sudoers(5) matches the argument patterns below:
#   * A Cmnd written with no argument list matches that command run with ANY
#     arguments; only a trailing "" restricts it to "no arguments".
#   * A "*" wildcard matches any run of characters INCLUDING white space, so a
#     single "*" can stand for several arguments, not just one.
# Every rule here runs as root with NOPASSWD, so each grant is exactly as narrow
# as its argument pattern and no narrower.

# --- file pushes (rsync --rsync-path='sudo rsync') ---
# The pushing side invokes rsync with --rsync-path='sudo rsync', so what sudo
# sees on this host is rsync's server-side command line (presumably of the form
# "--server <flags> . <dest>"), whose flag string depends on the client's
# options -- hence the "*". Because that "*" also covers any rsync option, these
# rules confine only the destination path, not what rsync is asked to do along
# the way; from a risk standpoint treat gitea_ci as root-equivalent on this host
# and protect whatever credential logs in as gitea_ci accordingly.
# TODO(review): consider pinning the exact server-side flag string the deploy job
# produces (visible in sudo's log when it runs) in place of "*".
gitea_ci ALL=(root) NOPASSWD: /usr/bin/rsync * /etc/sysusers.d/moments.conf
gitea_ci ALL=(root) NOPASSWD: /usr/bin/rsync * /usr/local/bin/moments-worker
# worker.env presumably carries the worker's runtime secrets -- verify its mode
# and ownership after each push; the 0750 root:moments directory below is what
# keeps it from other local users.
gitea_ci ALL=(root) NOPASSWD: /usr/bin/rsync * /etc/moments/worker.env
gitea_ci ALL=(root) NOPASSWD: /usr/bin/rsync * /etc/systemd/system/moments-worker.service
gitea_ci ALL=(root) NOPASSWD: /usr/bin/rsync * /etc/systemd/system/moments-worker-cert.path
gitea_ci ALL=(root) NOPASSWD: /usr/bin/rsync * /etc/systemd/system/moments-worker-cert-reload.service

# --- service account + directories ---
# No argument list => any arguments are accepted (see note above), and
# systemd-sysusers takes config-file paths and --root on its command line.
# TODO(review): pin this to the form infra-setup.sh actually runs, e.g.
# `/usr/bin/systemd-sysusers ""` or
# `/usr/bin/systemd-sysusers /etc/sysusers.d/moments.conf`.
gitea_ci ALL=(root) NOPASSWD: /usr/bin/systemd-sysusers
# Exact argument lists: only these two literal command lines match.
gitea_ci ALL=(root) NOPASSWD: /usr/bin/install -d -o root -g moments -m 0750 /etc/moments
gitea_ci ALL=(root) NOPASSWD: /usr/bin/install -d -o moments -g moments -m 0750 /var/lib/moments

# --- cert ACL, SELinux ---
# The colons are escaped because ':' is a reserved character in sudoers command
# arguments. Note that "*.pem" also matches white space, so this pattern accepts
# an argument list such as "<dir>/a.pem <some other path>.pem", not just one file
# under /etc/pki/tls/private. If the worker's certificate name is stable, pin it.
gitea_ci ALL=(root) NOPASSWD: /usr/bin/setfacl -m u\:moments\:r /etc/pki/tls/private/*.pem
# Exact path list; relabels only the three deploy targets.
gitea_ci ALL=(root) NOPASSWD: /usr/sbin/restorecon -R /usr/local/bin/moments-worker /etc/moments /var/lib/moments

# --- service lifecycle ---
# Exact argument lists throughout: each line matches one literal systemctl
# invocation and nothing else.
gitea_ci ALL=(root) NOPASSWD: /usr/bin/systemctl daemon-reload
gitea_ci ALL=(root) NOPASSWD: /usr/bin/systemctl enable --now moments-worker-cert.path
gitea_ci ALL=(root) NOPASSWD: /usr/bin/systemctl enable moments-worker.service
gitea_ci ALL=(root) NOPASSWD: /usr/bin/systemctl restart moments-worker.service
gitea_ci ALL=(root) NOPASSWD: /usr/bin/systemctl is-active --quiet moments-worker.service